PHP

Leonid, 2016-09-27 13:35:18

Two options for authorizing a mobile application on a website through Ajax requests - what do you think?

So, there is a mobile application (PhoneGap + Framework7) that interacts with a PHP site through AJAX requests. The application has sections requiring authorized access. It is desirable that, after authentication, the application does not ask the user for a username and password for 6 months.

I want to use tokens, but only in my own way. There are two ideas:

1) After authentication, the application receives a token in response, stores it in localStorage, and then for all its AJAX requests to the server, adds the value of this token to the HTTP header: Authorization. On the side of the site, the token is verified / validated, and if the Ajax request requires authorization, then authorization by this token takes place before it is executed.

2) After authentication, the application receives a token and a PHPSESSID in response, stores them in localStorage, and then adds both values (the token and the PHPSESSID) to the HTTP header Authorization on all of its AJAX requests to the server. On the site side, the existence/activity of a PHP session with id = PHPSESSID is checked. If such a session exists, the PHPSESSID value is written to $_COOKIE['PHPSESSID'], thereby attaching the request to the PHP session. If there is no such session, authentication/authorization takes place via the token, the id of the current (new) user session is taken, and the PHPSESSID is transmitted in the response through some HTTP header. The mobile app then updates the PHPSESSID value in localStorage for use in subsequent AJAX requests.

Which option would you choose and why?
Can you suggest any third option?
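The following is an added example of the server side of option 1 in PHP; it is not code from the question or from either answer. Login issues a random bearer token, the server stores only a SHA-256 hash of it together with an expiry of roughly 6 months, and each later AJAX request is authorized from the `Authorization: Bearer <token>` header. The `$tokenStore` and `$users` arrays are constructed in-memory stand-ins for database tables, and all function names are my own.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or its answers): option 1, server side.
// $tokenStore is a constructed stand-in for a DB table (token_hash, user_id, expires).

const TOKEN_LIFETIME = 6 * 30 * 24 * 3600; // ~6 months, the lifetime the question asks for

/** @var array<string, array{user_id:int, expires:int}> keyed by sha256(token) */
$tokenStore = [];

// Constructed sample user table; in practice a DB row holding a password_hash() value.
$users = [
    'leonid' => ['id' => 42, 'hash' => password_hash('correct-horse', PASSWORD_DEFAULT)],
];

/** Verify login/password; returns the user id or null. */
function checkCredentials(array $users, string $login, string $password): ?int
{
    if (!isset($users[$login]) || !password_verify($password, $users[$login]['hash'])) {
        return null;
    }
    return $users[$login]['id'];
}

/** Issue a fresh token. Only its hash is stored, so a leaked table does not leak usable tokens. */
function issueToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG, lowercase hex
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $token;                                 // sent once, in the login response
}

/** Resolve the Authorization header to a user id; null if absent, malformed, unknown or expired. */
function authenticateRequest(array &$store, ?string $authHeader): ?int
{
    if ($authHeader === null || !preg_match('/^Bearer\s+([0-9a-f]{64})$/i', $authHeader, $m)) {
        return null;                               // wrong scheme or wrong shape: reject before any lookup
    }
    $key = hash('sha256', strtolower($m[1]));      // look up by hash; the clear token is never stored
    if (!isset($store[$key])) {
        return null;                               // unknown token
    }
    if ($store[$key]['expires'] < time()) {
        unset($store[$key]);                       // expired: drop it and force a new login
        return null;
    }
    return $store[$key]['user_id'];
}

/** Logout: revoke on the server, not only by clearing localStorage in the app. */
function revokeToken(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

/** Read the header the way PHP exposes it; some SAPIs only provide it via getallheaders(). */
function authorizationHeaderFromRequest(): ?string
{
    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
        return $_SERVER['HTTP_AUTHORIZATION'];
    }
    if (function_exists('getallheaders')) {
        $h = getallheaders();
        return $h['Authorization'] ?? null;
    }
    return null;
}

/** Tiny self-check helper so the demo does not depend on zend.assertions. */
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
}

// Self-check when run from the command line: php token_auth.php
if (PHP_SAPI === 'cli') {
    $userId = checkCredentials($users, 'leonid', 'correct-horse');
    expect($userId === 42, 'login with valid credentials');
    expect(checkCredentials($users, 'leonid', 'wrong') === null, 'login with bad password');

    $token = issueToken($tokenStore, $userId);
    expect(authenticateRequest($tokenStore, "Bearer $token") === 42, 'valid bearer token');
    expect(authenticateRequest($tokenStore, 'Bearer ' . strrev($token)) === null, 'tampered token');
    expect(authenticateRequest($tokenStore, $token) === null, 'missing Bearer scheme');

    revokeToken($tokenStore, $token);
    expect(authenticateRequest($tokenStore, "Bearer $token") === null, 'revoked token');
    echo "token flow OK\n";
}
```

Two practical notes. Apache running PHP as CGI/FastCGI drops the `Authorization` header unless told to pass it (`CGIPassAuth On` in httpd 2.4.13 and later), which is why the example falls back to `getallheaders()`. And if a PHP session is still wanted on top of the token (the situation option 2 tries to handle), the supported way to attach a request to a known session id is `session_id($id)` before `session_start()` with `session.use_strict_mode = 1`, rather than writing into `$_COOKIE`; strict mode refuses ids the server never created, and `session.gc_maxlifetime` means a plain PHP session will not survive the 6 months on its own, so the long-lived credential should remain the server-stored, revocable token.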

2 answer(s)
Ivanq, 2016-09-27

Maybe I don't understand something, but why Authorization? I thought he needed someone else. Why is it worse to store the token in cookies, and get the token from there on the server?

Simple91, 2016-10-11

I used to do it as in the first option: I saved the data in localStorage and after that sent this data to the server in each request.
On the page where authorization is needed, there is a script that accesses the database and checks the user; if there is one and he has enough rights to view the document, the content is shown to him.
